Behavioral Document Protection

Delivering malware through documents, such as attachments in phishing emails, is one of the most popular methods that attackers use to lure victims to download, open and execute malicious code.

With Behavioral document protection, the Cybereason platform detects and quarantines Word, Excel, PowerPoint, and Rich Text Format (RTF) documents that include malicious code.

Note

You can set the Behavioral document protection feature to different modes and sensitivity levels, and use exclusions to exclude legitimate documents or disable Behavioral document protection in specific scenarios. For more information, see Set the Behavioral Document Protection AI Modes.

There are two types of Behavioral document protection available:

  • Behavioral Document Protection AI

  • Rule-based Behavioral Document Protection

To learn about supported platforms for Behavioral document protection, see Endpoint machine prevention features.

Behavioral document protection analysis

The Cybereason platform first identifies documents that contain code, such as macros, and then analyzes the potential behavior of the identified macros. If a macro within a document is detected as malicious, the document is immediately quarantined.

The Cybereason platform analyzes documents when they are accessed, such as when they are written to disk, which ensures that all such documents are analyzed before any application can load them.

The Cybereason platform empowers security analysts to investigate and hunt by collecting and providing detailed information about document-related risks. This information applies both to documents that contain threats that the Cybereason platform has already detected or prevented and to any document that includes code, even if the Cybereason platform eventually classifies the code as non-malicious.
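The two-stage analysis described above (first find documents that carry code, then judge what that code would do when the document opens) can be sketched in a few lines. The block below is an added illustration, not Cybereason code: it uses only the standard library, the real OOXML part names and VBA autorun procedure names, and constructed sample documents whose VBA text is stored uncompressed to keep the example short (real vbaProject.bin module source is MS-OVBA compressed).

```python
import io
import re
import zipfile

# Real OOXML part names under which Word, Excel and PowerPoint store a VBA project.
VBA_PARTS = ("word/vbaProject.bin", "xl/vbaProject.bin", "ppt/vbaProject.bin")
# Real VBA procedure names that Office runs on its own when a document is opened.
AUTORUN = re.compile(rb"(?i)\b(AutoOpen|Auto_Open|AutoExec|Document_Open|Workbook_Open)\b")


def triage(doc_bytes: bytes) -> dict:
    """Stage 1: does the document carry code? Stage 2: would that code run on open?"""
    flags = {"macro_enabled_type": False, "contains_macro": False, "autorun_macro": False}
    try:
        zf = zipfile.ZipFile(io.BytesIO(doc_bytes))
    except zipfile.BadZipFile:
        return flags  # legacy OLE .doc/.xls and RTF need a different parser
    names = set(zf.namelist())
    if "[Content_Types].xml" in names:
        # .docm/.xlsm/.pptm declare a macroEnabled main part; renaming the file
        # does not change this, so inspect the container rather than the extension.
        flags["macro_enabled_type"] = b"macroEnabled" in zf.read("[Content_Types].xml")
    for part in VBA_PARTS:
        if part in names:
            flags["contains_macro"] = True
            # Real module source inside vbaProject.bin is MS-OVBA compressed and
            # must be decompressed first; the constructed samples store plain text.
            if AUTORUN.search(zf.read(part)):
                flags["autorun_macro"] = True
    return flags


def build_doc(parts: dict) -> bytes:
    """Assemble a minimal OOXML container from {part_name: bytes} (constructed input)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


# Constructed sample documents: a clean .docx, a .docm with a passive macro,
# and a .docm whose macro declares a Document_Open autorun entry point.
CT_DOCX = b'<Types><Override PartName="/word/document.xml" ContentType="application/vnd.openxmlformats-officedocument.wordprocessingml.document.main+xml"/></Types>'
CT_DOCM = b'<Types><Override PartName="/word/document.xml" ContentType="application/vnd.ms-word.document.macroEnabled.main+xml"/></Types>'
BODY = {"word/document.xml": b"<w:document/>"}
CLEAN_DOCX = build_doc({"[Content_Types].xml": CT_DOCX, **BODY})
MACRO_DOCM = build_doc({"[Content_Types].xml": CT_DOCM, **BODY,
                        "word/vbaProject.bin": b'Attribute VB_Name = "Module1"\r\nSub Helper()\r\nEnd Sub\r\n'})
AUTORUN_DOCM = build_doc({"[Content_Types].xml": CT_DOCM, **BODY,
                          "word/vbaProject.bin": b'Attribute VB_Name = "ThisDocument"\r\nSub Document_Open()\r\nEnd Sub\r\n'})
```

The first flag corresponds to the "document contains code" stage and the last to the autorun behaviour stage; a production analyzer would add OLE and RTF parsing and the YARA or model-based verdict on the decompressed code.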

Behavioral document protection is part of the Cybereason platform’s Anti-Malware solution, which analyzes every file as it is being accessed. Anti-Malware is also used for Signature-based analysis. Behavioral document protection is available with on-access scans, but is not available with on-demand and scheduled scans.

Note

If the Anti-Malware > Signatures mode is set to Disabled, Behavioral document protection continues to collect data but does not prevent malicious documents from running. For more details, see When do you use Behavioral Document Protection.

Behavioral Document Protection AI

The Cybereason platform uses a machine learning algorithm to analyze documents and identify whether they contain malicious macros.

The algorithm is based on a deep neural network, which provides data-driven, automated selection of rules for enhanced protection against malicious macros contained in documents.

For more information on how to manage Behavioral Document Protection AI, see Set the Behavioral Document Protection AI Modes.

If a sensor policy contains sensors on versions earlier than 22.1.105 and also sensors on versions 22.1.105 and later, your Cybereason environment uses both Rule-Based Behavioral Document Protection and Behavioral Document Protection AI. The type of Behavioral Document Protection that the Cybereason platform uses is based on the sensor version.

Rule-Based Behavioral Document Protection

Rule-Based Behavioral Document Protection uses over 100 YARA rules to analyze documents and identify whether they contain malicious macros.

These YARA rules are developed by the Cybereason security research team based on the latest security intelligence, to protect your environment from attacks that use malicious macros contained in documents.

For more information on how to manage Rule-Based Behavioral Document Protection, see Set the Rule-Based Behavioral Document Protection Modes.

Behavioral Document Protection availability by sensor version

The type of Behavioral Document Protection available is dependent on the sensor version:

  • Versions earlier than 22.1.105: Only rule-based Behavioral Document Protection is available.

  • Versions 23.1.x through 23.1.4x: Rule-based Behavioral Document Protection is the default. AI-based Behavioral Document Protection can be made available by opening a Technical Support case.

  • Version 23.1.8X and higher: Rule-based and AI-based Behavioral Document Protection are both available in the UI. Customers can enable one or the other, or both. If both are enabled, rule-based Behavioral Document Protection is used for sensors earlier than 22.1.28X or 23.1.8X. AI-based Behavioral Document Protection is used for sensors 22.1.28X and 23.1.8X and later.

When do you use Behavioral Document Protection

When Behavioral document protection is enabled, documents are analyzed in one of the following scenarios:

Scenario 1: A user attempts to download or open a Microsoft Office document, and Signature-based analysis scans the document.

Details:

  • If the Signatures scan detects malware, Cybereason performs an action based on the Signatures mode.

  • If the Signatures scan does not detect malware, Behavioral document protection analyzes the document for malicious macros, and Cybereason performs an action according to the Behavioral document protection mode.

Scenario 2: A user opens a Microsoft Office document, and Cybereason collects data on the document as part of the Non-executable file data collection feature.

Details: This scenario occurs only when Non-executable file data collection is set to On and one or more of the following options is selected:

  • Word documents

  • Excel spreadsheets

  • PowerPoint files

Note

In this scenario, the Signatures mode under System > Policies Management > Create/Edit Policy > Anti-Malware is set to Disabled and the Behavioral document protection mode is set to Detect, so Behavioral document protection continues to collect data but does not prevent malicious documents from running.

Scenario 1 example

  1. An organization is using Cybereason with the following settings:

    • The Anti-Malware > Signatures mode is set to Disinfect or Quarantine.

    • The Behavioral document protection mode is set to Quarantine.

    • The Behavioral document protection sensitivity level is set to Aggressive.

  2. A user receives an email that contains a Microsoft Office document as an attachment. The document includes malicious macros that are invisible to the user.

  3. The user double-clicks the attachment.

  4. Cybereason triggers Behavioral document protection to check for malicious macros.

  5. Cybereason quarantines the document.

For a list of actions that Cybereason takes if Anti-Malware > Signatures mode is set to a value other than Quarantine, see Behavioral document protection modes and Signatures modes.

Related Detections:

The Cybereason platform triggers a Malicious document Endpoint Protection MalOp with the Quarantined detection status.

The Cybereason platform triggers a Document contains macro Evidence. For a list of Evidences, see the File and Image file element under Feature Values per Element.

The Cybereason platform triggers a Document contains autorun malicious macro Suspicion. For a list of Suspicions, see the File and Image file element under Feature Values per Element.

Scenario 2 example

  1. An organization is using Cybereason with the following settings:

    • The Non-executable file data collection feature is enabled.

    • The Anti-Malware > Signatures mode is set to Disabled.

    • The Behavioral document protection mode is set to Detect.

    • The Behavioral document protection sensitivity level is set to Aggressive.

  2. A user receives an email that contains a Microsoft Office document as an attachment. The document includes malicious macros that are invisible to the user.

  3. The user opens the document, and the Cybereason platform collects data on the document.

  4. The Cybereason triggers Behavioral document protection to check for malicious macros.

  5. If Cybereason detects a malicious macro, the Cybereason platform detects a malicious macro and performs the following actions:

Related detections:

The Cybereason platform triggers a Malicious document Endpoint Protection MalOp with the Detected detection status.

The Cybereason platform triggers a Document contains macro Evidence. For a list of evidences, see the File and Image file element under Feature Values per Element.

The Cybereason platform triggers a Document contains autorun malicious macro suspicion. For a list of suspicions, see the File and Image file element under Feature Values per Element.

Note

Endpoint Protection MalOps refer to the new representation of malware alerts in the Malops management screen. Malware alerts will remain visible in the Malware alerts screen temporarily, during the transition to the new Malops management screen.